Skip to main content

Repository Firewall Guided Setup

Repository Firewall's guided setup automatically launches after logging in to the IQ Server as an Administrator after connecting your artifact repository to the IQ Server. The guided setup reduces the complexity of setting up Repository Firewall by configuring every repository to protect from one workflow.

The guided setup was added to IQ Server in version 168 and is compatible with Nexus Repository Pro 3.60+ and the Firewall for Artifactory plugin version 2.4.8+.

Important

The guided setup is currently intended only to run once for each connected repository manager. Resetting the guided setup is not available at this time.

Connecting your artifact repository

Connect your artifact repository to your instance of IQ Server.

Use the following steps for Nexus Repository 3 Pro:

  1. Log in to the Nexus Repository 3 Pro instance with administrator access

  2. Select the administration cog from the main menu

  3. Select IQ Server from the Administration section of the side menu

  4. Complete the IQ Server setup form

    1. Select the Enable the Use of IQ Server box

    2. Add your IQ Server URL

    3. Select an authentication method

      1. User Authentication: enter the IQ Server username and password

      2. PKI Authentication: delegate to the JVM for authentication

    4. Select Save

  5. Select Verify Connection to test the configuration

Note

We recommend using a service account when connecting Nexus Repository to the IQ Server in production environments. Consider generating user tokens as an added layer of security.

At a minimum, this account requires access to the Evaluate Individual Components permission at the Repository Managers level in IQ Server Org and Policies.

Leave the following configuration options blank unless directed by Sonatype support:

  • Properties, Connection Timeout

Use the following steps for Firewall for Artifactory:

  1. Add the IQ Server connection details to the "firewall.properties" file

  2. Alternatively, use the REST API to update the connection details after the plugin has been installed

Steps for the Repository Firewall Guided Setup

The Repository Firewall guided setup is launched by logging in as a user with "Edit IQ Elements" permissions for Repositories in the IQ Server. The setup will guide you through the following series of pages to configure protection:

  1. Enable Repository Firewall Rules

  2. Selecting Proxy Repositories

  3. Selecting Hosted Repositories

  4. Reviewing the Configuration

Step 1: Enable Repository Firewall Rules

This page allows you to enable the following Firewall protection on the Nexus Repository instance. Our recommendation is to enable protection from supply chain attacks and namespace confusion.

Supply Chain attack protection

  • The selection on this page allows this capability to be enabled on selected proxy repositories

  • The selection of proxy repositories where you wish to apply this capability is done in step 2

Namespace confusion protection

  • The selection on this page allows this capability to be enabled on selected proxy repositories.

  • The selection of hosted repositories to get the namespace from to enable this protection is done in step 3

Step 2: Selecting Proxy Repositories

Select the public-facing proxy repositories from which you are proxying open-source components. The selections on this page will enable supply chain attack protection and namespace attack protection on the selected repositories.

Select ‘Continue’ when ready to move to the next step

Step 3: Selecting Hosted Repositories

Select the hosted repositories with internal artifacts for which you want to restrict their namespaces from public-facing repositories.

Select ‘Continue’ when ready to move to the next step

Step 4: Reviewing the Configuration

Review the configuration, and select 'Launch Firewall'